According to reports, nearly 70% of enterprises were moving mission-critical business functions and processes to the cloud before the pandemic. In today’s new normal, that number has skyrocketed. Organizations increasingly rely on mission-critical cloud applications, such as SAP SuccessFactors and Salesforce, to help modernize business practices, streamline processes, and provide increased flexibility to adapt to work-from-anywhere initiatives.
However, to obtain the most value from these applications delivered through SaaS, PaaS, and IaaS cloud service models, enterprises often integrate and connect applications to ensure seamless information sharing. These connections can create a complex web that makes it challenging for IT and security teams to develop a clear understanding of risks.
Without that visibility, it is entirely realistic that risk introduced in one application through a misconfiguration, a lapse in user privilege management, or an overlooked vulnerability can put the entire enterprise at risk. In order to keep businesses’ applications (and the sensitive information they store) secure and compliant, organizations need to first understand the risks with which they are operating and then ask some tough questions to ensure they’re keeping their business protected.
So, what do these risks look like in the real world?
Security Concerns in the World of Cloud and SaaS Business Applications
To fully understand what risks look like, it’s helpful to consider everyday examples of typical business applications. Let’s look at popular solutions like SAP SuccessFactors and Salesforce, for instance.
SAP SuccessFactors is a leader in cloud human capital management, and more than 150,000 businesses use Salesforce across the globe. These popular mission-critical SaaS applications process millions of employee, customer, financial and other sensitive data points each day. While each offering has security functionality built in, that functionality doesn’t account for the way organizations deploy, operate and integrate applications. It also doesn’t offer the depth and breadth of insight needed to analyze and address risks that could impact other processes and applications, from the core to the cloud.
For instance, neither application considers the following questions: What if system and security administrators can see and edit more than they should? What if staff members can create rogue users and assign elevated privileges? What if users can act as security administrators? What if a user uploads malicious content?
Lack of answers to these questions can lead to security, privacy and fraud problems with excessive authorizations, segregation of duties, user impersonations, misconfigurations, faulty integrations and more.
For SuccessFactors, without this insight, it’s difficult to know whether the third-party systems integrating with your HCM instance are themselves secure. A compromised third-party application could intercept and modify files, or even use an existing connection to get into your SuccessFactors instance and obtain sensitive employee, payroll, and hiring policy information.
Additionally, losing sight of privileged authorizations in a solution like Salesforce could result in an unauthorized user viewing sensitive customer, sales, pricing and financial data. If a bad actor did this, they could even export data on a mass scale, causing severe privacy concerns (think GDPR) that can be detrimental to a company’s bottom line and brand.
To combat these risks, it’s time for IT and security teams to ask some tough questions to keep these robust solutions safe.
Critical Security and Compliance Questions to Consider
Any IT, security and compliance team that’s looking at a complex, interconnected application ecosystem needs to take the time to ask these three key questions to ensure they understand what’s at stake and how to mitigate risk:
- How can we limit misconfigurations and integration risks? The first step to restrict these risks is to understand the underlying technology of each mission-critical application. Many systems are complex platforms that have been developed over time, both organically and through acquisitions. Understanding how applications work and operate, internally and with other applications, can give an idea of where security red flags could arise. The next step is to create an asset map that highlights where cloud and on-premises applications intersect. This provides greater clarity on how and where data moves and where potential security gaps lie.
- How can we stay on top of all our user privileges? As some processes span multiple applications, the ability to correlate and track users across them is vital to ensuring effective segregation of duties. Beyond following best practices for user privileges, organizations should consider technology that tracks and flags abnormal user behavior. For instance, should an intern have access to payroll? No. These tools can raise alarms when privileges have been escalated without permission, so security teams can act quickly before nefarious events transpire.
- What’s the key to keeping systems and data compliant? Audit teams often struggle to find one source of truth for industry regulations, since multiple teams leverage SaaS applications and each application usually connects to other systems. Moreover, once they can check compliance, it’s often only at a point in time. Automation is key to simplifying these cumbersome tasks. A next-generation solution should analyze connections between applications and highlight errors, where they originate, and how to fix them to meet audit mandates. This saves time and money and moves organizations to a rare level of “continuous compliance” rather than a point-in-time check.
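The second and third questions above describe correlating user privileges across applications, checking segregation of duties, and flagging escalations without approval. The following Python script is an added illustration of those checks, not code from the article or from Onapsis; the two role snapshots, the app names (`hcm`, `crm`), the role names and the policy rules are all constructed for the example.

```python
from collections import defaultdict

# Constructed role exports: (app, user email, role, job title). Layout is an assumption.
SNAPSHOT_T0 = [
    ("hcm", "alice@example.com", "HR_Manager", "HR Director"),
    ("hcm", "bob@example.com", "Employee_Self_Service", "Intern"),
    ("crm", "alice@example.com", "Sales_Viewer", "HR Director"),
    ("crm", "carol@example.com", "Sales_Admin", "Sales Ops"),
]
SNAPSHOT_T1 = [  # the same two apps, one review period later
    ("hcm", "alice@example.com", "HR_Manager", "HR Director"),
    ("hcm", "bob@example.com", "Payroll_Admin", "Intern"),       # intern gained payroll
    ("crm", "alice@example.com", "Sales_Viewer", "HR Director"),
    ("crm", "alice@example.com", "Data_Export", "HR Director"),  # cross-app SoD conflict
    ("crm", "carol@example.com", "Sales_Admin", "Sales Ops"),
    ("crm", "carol@example.com", "Data_Export", "Sales Ops"),    # covered by a change ticket
]

# Illustrative policy: role pairs one identity must never hold (even across apps),
# roles whose grant needs an approval record, and title-based restrictions.
SOD_CONFLICTS = {frozenset({"HR_Manager", "Data_Export"}), frozenset({"Payroll_Admin", "Data_Export"})}
SENSITIVE_ROLES = {"Payroll_Admin", "Data_Export"}
TITLE_POLICY = {"Intern": SENSITIVE_ROLES}

def roles_by_user(snapshot):
    """Correlate roles from every app onto the shared identity (the email address)."""
    out = defaultdict(set)
    for _app, email, role, _title in snapshot:
        out[email].add(role)
    return out

def sod_violations(snapshot):
    """Return (user, conflicting role pair) for every segregation-of-duties breach."""
    found = []
    for email, roles in roles_by_user(snapshot).items():
        for conflict in SOD_CONFLICTS:
            if conflict <= roles:
                found.append((email, tuple(sorted(conflict))))
    return sorted(found)

def escalations(before, after, approved=frozenset()):
    """Flag sensitive roles gained between two snapshots with no matching approval."""
    b, a = roles_by_user(before), roles_by_user(after)
    return sorted((email, role) for email in a
                  for role in (a[email] - b.get(email, set())) & SENSITIVE_ROLES
                  if (email, role) not in approved)

def title_policy_violations(snapshot):
    """The article's own check: an intern must not hold payroll (or export) access."""
    return sorted((email, role) for _app, email, role, title in snapshot
                  if role in TITLE_POLICY.get(title, set()))
```

Alice's conflict is only visible once the HCM and CRM exports are joined on the shared identity, which is the point of correlating users across applications rather than reviewing each app in isolation.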
SaaS and cloud applications are revolutionizing how, and how fast, businesses around the world work. However, it’s essential to understand the risks that adopting these powerful mission-critical applications introduces when they are not properly managed. While flexibility gains are important, misconfigurations, unauthorized or excessive privileges, and other vulnerabilities can cause breaches that derail an enterprise completely. Organizations should continue to ask these critical questions, follow security best practices, and partner with experts to address common application security and compliance pitfalls.
By Juan Pablo Perez-Etchegoyen
As CTO, JP leads the innovation team that keeps Onapsis on the cutting edge of the Business-Critical Application Security market, addressing some of the most complex problems that organizations are currently facing while managing and securing their ERP landscapes. JP helps manage the development of new products as well as support the ERP cybersecurity research efforts that have garnered critical acclaim for the Onapsis Research Labs.
JP is regularly invited to speak and host trainings at global industry conferences, including Black Hat, HackInTheBox, AppSec, Troopers, Oracle OpenWorld and SAP TechEd, and is a founding member of the Cloud Security Alliance (CSA) Cloud ERP Working Group. Over his professional career, JP has led many information security consultancy projects for some of the world’s biggest companies in the fields of penetration and web application testing, vulnerability research, information security auditing and standards, and more.